Why you should enable two-factor authentication everywhere

Two-factor authentication, also known as 2FA, is a good thing. It helps to protect your online accounts by requiring both a passcode and a temporary code that’s sent to your mobile phone in order to log in.

That way, even if someone steals your password, they still can’t log into your account if they don’t possess your mobile and the code.

Where possible, however, I also recommend you not use 2FA through SMS. That’s because messages can be hijacked and redirected to an attacker’s mobile phone instead of yours. For years, this was theoretically possible, but recently a group of thieves has actually exploited this weakness to empty victims’ bank accounts in Germany.

Like banks in Singapore, German banks require online banking customers to get a code sent to their phone before transactions are approved. In this case, the attackers infected their victims’ computers with malware and collected their bank account details, including login passwords and mobile numbers.

They then purchased access to a rogue telecommunications provider, which let them redirect the victim’s mobile phone messages to their own mobile phones. This gave them access to the 2FA codes.

So what should you do instead?

Many sites nowadays also offer 2FA through apps like Authy. When you scan a QR code, the site and Authy create a time-based ‘secret key,’ and the app can then generate temporary 2FA codes for you to log into your account, even when you don’t have a data connection on your smartphone.

Google, Facebook, and Twitter are among the popular sites that offer this option. So instead of having codes sent to your mobile phone through SMS, they’re generated on your device. Even if attackers redirect your messages, they still won’t get the login codes.

Is using 2FA more troublesome than not using it? Yes, of course, it is. But convenience is always in a tug of war with security, and when it comes to valuable accounts like your email, I’d recommend you err on the side of security more often than not.